An issue exists in one of the components of the Cisco Management Center
for IPS Sensors (IPS MC) v2.1 during the generation of the Cisco IOS IPS
(Intrusion Prevention System) configuration file. The generated file may omit
the port value for signatures belonging to the STRING.TCP and STRING.UDP
signature micro-engines, which results in those signatures being disabled on the
device during the configuration deployment process.

Cisco has made a free software patch available to address this
vulnerability for affected customers.

No other Cisco products are currently known to be affected by this
vulnerability.

Details

Some Cisco routers running Cisco IOS include a feature called Cisco IOS
IPS. Cisco IOS IPS acts as an in-line intrusion prevention sensor, watching
packets and sessions as they flow through the router and scanning each packet
to match any of the Cisco IOS IPS signatures that have been enabled in the
device configuration. When it detects suspicious activity, it responds before
network security can be compromised and logs the event through Cisco IOS syslog
messages or Security Device Event Exchange (SDEE). The network administrator
can configure Cisco IOS IPS to choose the appropriate response to various
threats.

Customers can use multiple methods, including Cisco IPS MC, Cisco IDS
MC, Cisco SDM and the Cisco IOS CLI, to enable, disable and configure Cisco IOS
IPS signatures. Some signatures dealing with TCP or UDP traffic analyze traffic
destined to specific ports. Those ports are pre-configured with default values,
and some signatures might allow changes to the list of ports to be
monitored.

If the Cisco IOS IPS devices have been configured by using the Cisco
IPS MC v2.1, the Cisco IPS MC might download a configuration file to the device
that does not contain a value for the port field in one or more signatures,
resulting in the affected Cisco IOS IPS device disabling those signatures. Only
signatures using either the STRING.TCP or STRING.UDP signature micro-engine
(SME) are affected by this vulnerability. Additionally, this behavior only
happens if those signatures were enabled and configured from the Cisco IPS MC
GUI; signatures belonging to the STRING.TCP or STRING.UDP SMEs that were
previously configured on the device and then imported into the Cisco IPS MC will
not experience this issue.

The list of signatures currently loaded into a Cisco IOS IPS device and
their status can be obtained by executing the show ip ips
signatures command. The following abbreviated output shows
signatures currently loaded into the device, both enabled and disabled:

Any signature with a capital N under the 'On' column is DISABLED, while
any signature with a capital Y under the same column is ENABLED. In this
example, signatures 4608:0 and 11000:0 (belonging to the STRING.UDP SME) and
signature 3117:0 (belonging to the STRING.TCP SME) are listed as disabled. For
each signature listed as disabled in the output of the show ip ips signatures
command, a corresponding ip ips signature <SigID> <SubsigID> disable command
should be visible in the running configuration. A disabled STRING.TCP or
STRING.UDP signature that the administrator did not deliberately disable is the
symptom of this issue. The following is an example of the show running-config
command, using an output filter (for example, show running-config | include ip
ips signature) to display only configuration lines belonging to signatures that
have been disabled:
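The check described above can be scripted so that it is repeated consistently across a fleet of routers. The following Python is an added example and is not Cisco's code or part of the original advisory. It parses captured output of show ip ips signatures and of the filtered show running-config, then reports every disabled STRING.TCP or STRING.UDP signature that is not on an administrator-supplied list of intentionally disabled signatures, and also flags any disabled signature with no matching disable line in the configuration. The column layout assumed for the signature table (a SigID:SubsigID token, the 'On' column, then the engine name) is an approximation of the device output, the sample outputs are constructed for the example, and the function names are the author's own.

```python
import re

# Only the STRING.TCP and STRING.UDP signature micro-engines are affected
# by the IPS MC v2.1 port-field problem described in the advisory.
AFFECTED_ENGINES = {"STRING.TCP", "STRING.UDP"}

# ASSUMPTION: each data row of "show ip ips signatures" starts with
# "<SigID>:<SubsigID>", followed by the 'On' column (Y/N) and the engine name.
# The exact column layout varies by IOS release; adjust the pattern if needed.
SIG_ROW = re.compile(r"^\s*(\d+):(\d+)\s+([YN])\s+([A-Z0-9.]+)", re.MULTILINE)

# Lines present in the running configuration for a disabled signature.
DISABLE_LINE = re.compile(r"^ip ips signature (\d+) (\d+) disable\s*$", re.MULTILINE)

# Constructed sample output (not real device output) with the three affected
# signatures named in the advisory shown as disabled.
SAMPLE_SHOW_SIGS = """\
Builtin signatures:
Signature ID   On  Engine       Action
1000:0         Y   OTHER        alarm
3050:0         N   OTHER        alarm
3117:0         N   STRING.TCP   alarm
4608:0         N   STRING.UDP   alarm
11000:0        N   STRING.UDP   alarm
"""

# Constructed output of "show running-config | include ip ips signature".
SAMPLE_RUNNING_CONFIG = """\
ip ips signature 3050 0 disable
ip ips signature 3117 0 disable
ip ips signature 4608 0 disable
ip ips signature 11000 0 disable
"""


def parse_signature_table(text):
    """Map (SigID, SubsigID) -> (enabled, engine) from 'show ip ips signatures'."""
    table = {}
    for sig, subsig, on, engine in SIG_ROW.findall(text):
        table[(int(sig), int(subsig))] = (on == "Y", engine)
    return table


def parse_config_disables(text):
    """Set of (SigID, SubsigID) that the running configuration explicitly disables."""
    return {(int(s), int(ss)) for s, ss in DISABLE_LINE.findall(text)}


def audit(show_sigs_text, running_config_text, intended_disabled=frozenset()):
    """Cross-check signature status against the running configuration.

    Returns a list of (finding, (SigID, SubsigID), engine) tuples in SigID order:
      'no-config-line'     - shown disabled but no matching 'disable' config line
      'unexpected-disable' - STRING.TCP/STRING.UDP signature disabled although
                             the administrator did not intend to disable it
    """
    table = parse_signature_table(show_sigs_text)
    cfg_disabled = parse_config_disables(running_config_text)
    findings = []
    for key, (enabled, engine) in sorted(table.items()):
        if enabled:
            continue
        if key not in cfg_disabled:
            findings.append(("no-config-line", key, engine))
        if engine in AFFECTED_ENGINES and key not in intended_disabled:
            findings.append(("unexpected-disable", key, engine))
    return findings


def format_report(findings):
    """One human-readable line per finding."""
    return [f"{kind}: {sig}:{sub} ({engine})" for kind, (sig, sub), engine in findings]


if __name__ == "__main__":
    for line in format_report(audit(SAMPLE_SHOW_SIGS, SAMPLE_RUNNING_CONFIG)):
        print(line)
```

Run against real captures, pass the set of signatures you disabled on purpose as intended_disabled so that only unexplained STRING.TCP and STRING.UDP disables are reported; a 'no-config-line' finding means the device state and the running configuration disagree and both captures should be taken again.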

In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current hardware and
software configurations will continue to be supported properly by the new
release. If the information is not clear, contact the Cisco Technical
Assistance Center ("TAC") for assistance.

Cisco has developed a software fix for this vulnerability. Once the fix
is applied to a VMS server running IPS MC v2.1, the IPS MC will correctly
populate the port field attached to a signature using either the STRING.TCP or
STRING.UDP SME. Additional steps must be performed after the fix is installed;
please read the README file published together with the software fix.

CSCsc33696-w2k-README.txt - this file contains
instructions on how to apply the software fix to an affected IPS MC v2.1
installation on Windows, and any needed pre and post installation tasks to be
carried out by the user.

CSCsc33696-sol-README.txt - this file contains
instructions on how to apply the software fix to an affected IPS MC v2.1
installation on Solaris, and any needed pre and post installation tasks to be
carried out by the user.

Exploitation and Public Announcements

The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.

This vulnerability was reported to Cisco by a customer.

Cisco Security Vulnerability Policy

To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

Revision History

Legal Disclaimer

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.
